
sagate.exe


What is it?
sagate.exe is a file associated with the W32.Gaobot.BOW worm.

What does it do?
W32.Gaobot.BOW is a network-aware worm that has backdoor capabilities and can be controlled through IRC channels.

When W32.Gaobot.BOW is executed, it performs the following actions:

Copies itself as %System%\sagate.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"Sagate Security Firewall" = "sagate.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that W32.Gaobot.BOW runs when you start Windows.

Connects the backdoor component to the remote IRC server lud.b0b.org on TCP port 7000 and awaits commands from a remote attacker.

The backdoor allows the attacker to perform some of the following actions on the compromised system:
  • Download and execute files
  • Scan the network
  • List, stop, and start processes
  • Control the file system (Delete, create, and list files)
  • Launch Denial of Service (DoS) attacks
  • Perform port redirection
  • Start a socks proxy
  • Start an FTP server
  • Retrieve Windows product keys
Opens three randomly selected TCP ports.

Overwrites %System%\drivers\etc\hosts with the following lines:
Attempts to copy itself to the following shares on randomly generated IP addresses:
  • admin$
  • print$
  • C$
  • D$
  • E$
using its own list of user names and passwords.

Sends HTTP GET messages to the following hosts (to measure connection speed):
Attempts to steal CD keys for a number of computer games
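
A defender-side check for the hosts-file overwrite described above, as an added example that is not part of the original page: it parses hosts-file text and reports names pinned to a loopback or unspecified address. The `.example` domains, `LOCAL_NAMES` and the function names are constructed for illustration; pass the vendor domains you monitor as `watch_suffixes`.

```python
import ipaddress

# Names that legitimately resolve to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a usable mapping
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def find_blocked(text, watch_suffixes=()):
    """Return sorted hostnames mapped to loopback (127.0.0.0/8, ::1) or 0.0.0.0/::."""
    hits = set()
    for addr, name in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified) or name in LOCAL_NAMES:
            continue
        # With a watchlist, report only names equal to or under a watched domain.
        if watch_suffixes and not any(
            name == s or name.endswith("." + s) for s in watch_suffixes
        ):
            continue
        hits.add(name)
    return sorted(hits)

# Constructed sample: a hosts file after the kind of overwrite described above.
SAMPLE_HOSTS = """\
# constructed test data
127.0.0.1 localhost
127.0.0.1 www.av-vendor.example
127.0.0.1 liveupdate.av-vendor.example   # trailing comment
127.0.0.1 av-vendor.example notav-vendor.example
10.0.0.5  fileserver.corp.example
"""

if __name__ == "__main__":
    for host in find_blocked(SAMPLE_HOSTS, watch_suffixes=("av-vendor.example",)):
        print("blocked:", host)
```

Called without `watch_suffixes`, `find_blocked` reports every non-local name mapped to loopback, which is the broader triage view when the watched domains are not known in advance.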

More info and Removal
@symantec



sagate.exe is Spyware!
